On Tue, Oct 14, 2014 at 4:51 PM, Clemens Lang <c...@macports.org> wrote:
> Hi,
>
> ----- On 14 Oct, 2014, at 08:39, Mojca Miklavec mo...@macports.org wrote:
>
>> - One could fetch files from SVN, zip them, checksum the zip, store
>> the zip as if the zip was fetched from elsewhere and just unzip that
>> file during the repeated installation. Fetching from SVN doesn't mean
>> that we cannot use checksums and other benefits.
>
> That only holds true if zip doesn't have any side effects, like storing
> the creation date or similar.

Yes, some care needs to be taken, but I'm sure that something is feasible. A while ago I played with git and found a way to do tar.gz/bz/xz files in a reproducible way. This also means that fetching from GIT (and probably from SVN as well) could still lead to .tar.gz files being available on the mirrors. SVN might(?) need some touching of folders to make sure that timestamps are not off, but that's pure speculation.

> I'd rather propose to add a checksum using the method outlined in the
> SPDX specification, version 1.2, section 4.7 [1] (which is basically a
> hash of the concatenation of a sorted list of hashes of files in a
> package).
>
>
> [1] http://spdx.org/sites/spdx/files/spdx-1%202.pdf

The drawback would be that one would have to extract files and checksum all the files before being able to tell whether the file is OK.

Either way, my point was that there is absolutely no need to keep avoiding SVN just because "we cannot do any checksums".

Mojca
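The two approaches discussed in this message, side by side, as an added example that is not part of the original email or of MacPorts: an archive checksum that breaks when timestamps leak into the tarball, the same archive built with those fields pinned, and a content checksum in the style of the SPDX 1.2 package verification code. The function names, the sample file tree and the timestamps are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree: path -> contents (stands in for an SVN/git checkout).
FILES = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}

def make_targz(files, mtime, normalize=False):
    """Pack files into a .tar.gz; normalize=True pins every timestamp to 0."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):                  # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0 if normalize else mtime  # per-file timestamp in the tar header
            info.uid = info.gid = 0                 # no builder identity in the archive
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # gzip keeps its own timestamp in the stream header, separate from tar's.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0 if normalize else mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Checksum of the archive bytes, as a distfile checksum would be taken."""
    return hashlib.sha256(blob).hexdigest()

def spdx_verification_code(blob):
    """SHA-1 each file, sort the hex digests, concatenate them, SHA-1 the result."""
    digests = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:                          # every file must be read first
            if member.isfile():
                data = tar.extractfile(member).read()
                digests.append(hashlib.sha1(data).hexdigest())
    return hashlib.sha1("".join(sorted(digests)).encode("ascii")).hexdigest()

if __name__ == "__main__":
    a, b = make_targz(FILES, 1413300000), make_targz(FILES, 1413390000)
    print("naive archives equal:     ", archive_sha256(a) == archive_sha256(b))
    print("content codes equal:      ", spdx_verification_code(a) == spdx_verification_code(b))
    na, nb = make_targz(FILES, 1413300000, True), make_targz(FILES, 1413390000, True)
    print("normalized archives equal:", archive_sha256(na) == archive_sha256(nb))
```

The content code hashes file contents only, so a renamed file or a changed permission bit leaves it unchanged, whereas the checksum of a normalized archive also covers paths and modes.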